SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-201 Sensitive Data in Sent Data

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged sensitive information being included in data sent outside the trusted boundary (HTTP responses, emails, webhooks, third-party API calls, analytics events).

Why it matters

Sensitive data in responses can be intercepted or misused.

Safer examples

1) Return only what the client needs (DTO allowlists)

res.json({ id: user.id, name: user.name }); // not the full user object

2) Strip sensitive fields before sending to vendors

For analytics/telemetry, avoid raw emails, tokens, auth headers, and full request bodies.

3) Treat outbound payloads as "public by default"

Assume anything sent out of process can be stored forever.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.